From: LEAF <le...@pa...> - 2026-03-31 00:10:39
Hi ET,
This is going to be a bit more than a "Why do I want this" and more a
how did I get to wanting this.
I found this thread on the leaf-user mail list:
Re: [leaf-user] wireguard and shorewall From: John S. <jo...@sa...> -
2020-12-05 13:02:01 with some back and forth with KP
> gatekeeper# /etc/init.d/wireguard restart
> Stopping wireguard VPN server on interface wg0
> [#] ip link delete dev wg0
> Starting wireguard VPN server on interface wg0
> [#] ip link add wg0 type wireguard
> [#] wg setconf wg0 /dev/fd/63
> [#] ip -4 address add 192.168.17.1/24 dev wg0
> [#] ip link set mtu 1420 up dev wg0
>
When I do the same thing, I get:
router# /etc/init.d/wireguard restart
Stopping wireguard VPN server on interface wg0
wg-quick: `wg0' is not a WireGuard interface
Starting wireguard VPN server on interface wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.2.0.2/32 dev wg0
RTNETLINK answers: Network is unreachable
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
/usr/bin/wg-quick: line 32: resolvconf: command not found
[#] ip link delete dev wg0
Ignoring the following as ip link hasn't happened yet and eth0 has no
net access at the moment on the VM:
wg-quick: `wg0' is not a WireGuard interface
RTNETLINK answers: Network is unreachable
But wg-quick has changed and now tries to set resolv.conf using the
script resolvconf
[#] resolvconf -a wg0 -m 0 -x
/usr/bin/wg-quick: line 32: resolvconf: command not found
So hunting down where resolvconf comes from using the Debian package
archive I found:
File
    Packages
/etc/dhcp/dhclient-enter-hooks.d/resolvconf
    openresolv <https://packages.debian.org/trixie/openresolv>, resolvconf <https://packages.debian.org/trixie/resolvconf>
/etc/init.d/resolvconf
    resolvconf <https://packages.debian.org/trixie/resolvconf>
/etc/network/if-down.d/resolvconf
    openresolv <https://packages.debian.org/trixie/openresolv>, resolvconf <https://packages.debian.org/trixie/resolvconf>
/sbin/resolvconf
    openresolv <https://packages.debian.org/trixie/openresolv> [mipsel], resolvconf <https://packages.debian.org/trixie/resolvconf> [mipsel]
/usr/sbin/resolvconf
    openresolv <https://packages.debian.org/trixie/openresolv> [not mipsel], resolvconf <https://packages.debian.org/trixie/resolvconf> [not mipsel], systemd-resolved <https://packages.debian.org/trixie/systemd-resolved> [not mips64el, mipsel]
/usr/share/bash-completion/completions/resolvconf
    bash-completion <https://packages.debian.org/trixie/bash-completion>
/usr/share/lintian/overrides/resolvconf
    resolvconf <https://packages.debian.org/trixie/resolvconf>
So as proof of concept, I downloaded the openresolv.deb, extracted it,
copied the files to the router with sftp then chmod the scripts to 755.
Finally placed the list of files from the openresolv deb into the local
packages list of files to be saved (ignoring all the /usr/share/* stuff),
so it survives a reboot.
/etc/dhcp/dhclient-enter-hooks.d/resolvconf
/etc/network/if-down.d/resolvconf
/etc/network/if-up.d/000resolvconf
/etc/ppp/ip-down.d/000resolvconf
/etc/ppp/ip-up.d/000resolvconf
/etc/resolvconf.conf
/usr/lib/resolvconf/dnsmasq
/usr/lib/resolvconf/libc
/usr/lib/resolvconf/libc.d/avahi-daemon
/usr/lib/resolvconf/libc.d/mdnsd
/usr/lib/resolvconf/named
/usr/lib/resolvconf/pdns_recursor
/usr/lib/resolvconf/pdnsd
/usr/lib/resolvconf/unbound
/usr/sbin/resolvconf
Which results in:
router# /etc/init.d/wireguard restart
Stopping wireguard VPN server on interface wg0
wg-quick: `wg0' is not a WireGuard interface
Starting wireguard VPN server on interface wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.2.0.2/32 dev wg0
RTNETLINK answers: Network is unreachable
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip6tables-restore -n
modprobe: can't open 'modules.dep': No such file or directory
ip6tables-restore v1.8.8 (legacy): ip6tables-restore: unable to
initialize table 'raw'
Error occurred at line: 1
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more
information.
[#] resolvconf -d wg0 -f
[#] ip -6 rule delete table 51820
[#] ip -6 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
So resolvconf is happy, but we have a bunch of missing modules that
appear to not be able to be loaded by modprobe.
Probably because the modules is a squash-fs now and needs to be added
with /usr/sbin/mount_modules before modprobe or installed via
/usr/sbin/install_modules. I don't know how to make modprobe do
this automatically.
So by a process of elimination I put all the needed module names in the
/etc/modules:
# IP tables for wireguard
#
# Common IPV4 and IPV6
x_tables
xt_connmark
xt_comment
xt_mark
xt_addrtype
nf_conntrack
nf_defrag_ipv4
nf_defrag_ipv6
libcrc32c
# IPV4
#
ip_tables
iptable_raw
iptable_filter
iptable_mangle
# IPV6
#
ip6_tables
ip6table_raw
ip6table_filter
ip6table_mangle
But I'm thinking there must be an easier way, that I just don't know yet.
Which finally gives me:
router# /etc/init.d/wireguard restart
Stopping wireguard VPN server on interface wg0
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip -6 rule delete table 51820
[#] ip -6 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
[#] resolvconf -d wg0 -f
[#] iptables-restore -n
[#] ip6tables-restore -n
Starting wireguard VPN server on interface wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.2.0.2/32 dev wg0
RTNETLINK answers: Network is unreachable
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip6tables-restore -n
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n
and resolv.conf is automatically updated:
# Generated by resolvconf
# Included file /etc/resolv.conf.head starts here
# Included file /etc/resolv.conf.head ends here
nameserver 10.2.0.1
# Included file /etc/resolv.conf.tail starts here
# Included file /etc/resolv.conf.tail ends here
I just need to connect the VM back to the internet via the CPE and make
sure the VPN link works, then tackle the shorewall part of the equation.
I currently have shorewall disabled from starting.
Hope this wasn't too drawn out,
Mark
On 30/03/2026 10:47 pm, Erich Titl wrote:
> Hi
>
> On 30.03.2026 at 03:26, LEAF wrote:
>> Hello all,
>>
>> It's been quite a while since I've used Bering-uClibc and been on the
>> list. Hope everyone is well.
>>
>> As background, I'm setting Linux Mint booting off a CD image on a
>> VMWare 17 VM to allow it to access the internet using wireguard running
>> on another VMWare 17 VM using
>> Bering-uClibc_7.2.2_x86_64_isolinux_vga.iso installed on a hard drive
>> and booting via syslinux.
>>
>> Currently I have Linux Mint VM -> Bering-uClibc VM -> CPE Router ->
>> Internet = works fine without wireguard.
>>
>> I tried setting this up with
>> Bering-uClibc_7.5.2_x86_64_isolinux_vga.iso, but ran into problems with
>> trying to install syslinux on the hard drive where it kept reporting
>> the hard drive was busy. So I went back to 7.2.2 as I already had
>> this image. I'll get some proper 7.5.2 error messages for this at a
>> later date when I try again.
>>
>> Anyway, when running /etc/init.d/wireguard start I get a message from
>> wireguard saying resolvconf wasn't found and the VPN link isn't
>> set up. I looked at the Debian packages to see where resolvconf comes
>> from and found it is located in openresolv_3.13.2-3_all.deb. Looking
>> at the files in openresolv they all appear to be just scripts.
>>
>> So I'm wondering if the good people at Bering-uClibc could make an
>> openresolv.lrp and add this to the LEAF system going forward.
>
> I am running wireguard on various LEAF boxes without problems. Just to
> let me understand, why would openresolv be needed by wireguard? If I
> understand you correctly then wireguard is probably looking for
> resolv.conf which is built by one of the DNS packages available.
>
> Then if your setup is not dynamic you could always build your own
> resolv.conf manually.
>
> cheers
> ET
>
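
Added example, not part of the original messages and not LEAF or wg-quick code: a preflight check for the two failures in the transcripts above, namely the resolvconf call that wg-quick makes when the config has a DNS= line, and the netfilter modules it needs once AllowedIPs contains a /0 route. The sample config, vpn.example.net and the function names are constructed for illustration; the module names are taken from the /etc/modules list in the message, and the check assumes the iptables-restore path seen in the transcript.

```shell
#!/bin/sh
# Added example, not LEAF or wg-quick code: predict what a wg-quick config
# needs from the host and report what is absent. Module names are the page's.

# wg_needs CONF -> one "cmd:NAME" or "mod:NAME" line per requirement.
wg_needs() {
    awk -F= '
        { sub(/#.*/, ""); key = tolower($1); val = $2
          gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val) }
        key == "dns" && val != "" { dns = 1 }        # triggers resolvconf -a
        key == "table" && val != "auto" { tbl = 1 }  # no fwmark policy routing
        key == "allowedips" {
            n = split(val, ips, ",")
            for (i = 1; i <= n; i++) if (ips[i] ~ /\/0$/) {
                if (ips[i] ~ /:/) v6 = 1; else v4 = 1
            }
        }
        END {
            if (dns) print "cmd:resolvconf"
            if (tbl) exit
            if (v4) print "mod:iptable_raw\nmod:iptable_mangle"
            if (v6) print "mod:ip6table_raw\nmod:ip6table_mangle"
            if (v4 || v6) print "mod:xt_connmark\nmod:xt_comment\nmod:xt_addrtype"
        }' "$1"
}

# wg_missing CONF [MODLIST] -> the needs that are not available right now.
# MODLIST defaults to /proc/modules; built-in modules are not listed there.
wg_missing() {
    wg_needs "$1" | while IFS=: read -r kind name; do
        case $kind in
            cmd) command -v "$name" >/dev/null 2>&1 || echo "$kind:$name" ;;
            mod) grep -q "^$name " "${2:-/proc/modules}" 2>/dev/null || echo "$kind:$name" ;;
        esac
    done
}

# Constructed sample modelled on the transcript (10.2.0.2/32, DNS via tunnel).
sample_conf() {
    printf '%s\n' '[Interface]' 'PrivateKey = PLACEHOLDER' \
        'Address = 10.2.0.2/32' 'DNS = 10.2.0.1' '[Peer]' \
        'PublicKey = PLACEHOLDER' 'AllowedIPs = 0.0.0.0/0, ::/0  # all traffic' \
        'Endpoint = vpn.example.net:51820'
}

sample_conf | wg_missing -
```

Run against the real config (for example `wg_missing /etc/wireguard/wg0.conf`) before restarting the service; an empty result means neither the resolvconf lookup nor the raw-table load should be what tears the interface back down.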